An incorrect security declaration would allow any authenticated user to edit kupu settings--the wysiwyg editor for old versions of Plone. Versions affected are all versions Plone 3 through 4.2. Upstream hotfix: https://plone.org/security/20150910/ CVE request: http://seclists.org/oss-sec/2015/q3/588